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Amendments to the Claims: 

This listing of claims will replace all prior versions, and listings, of claims in the application: 
Listing of Claims; 

1. ( currently amended) A method of detecting intrusions using a host-based intrusion 
system, comprising: 

reading kernel records; 

reformatting each of the read kernel records into a different format, wherein the different 
format is a memory mapped file: and 

parsing the records and comparing the parsed records against one or more templates. 

2. (original) The method of claim 1, wherein the kernel records include kernel audit logs. 

3. (original) The method of claim 2, wherein the kernel audit logs includes information 
about each system call. 

4. (original) The method of claim 1, comprising monitoring system log files. 

5. (original) The method of claim 1, comprising a system call. 

6. (original) The method of claim 1, wherein the system call was initiated by a library 

call. 

7. (original) The method of claim 3, comprising storing each system call in a circular 

buffer. 
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8. (original) The method of claim 1, comprising determining that an intrusion has 
occurred and generating an alert message. 

9. (original) The method of claim 1, comprising encrypting information sent between the 
host-based intrusion system and a network. 

10. (original) The method of claim 1, comprising displaying an alert message that an 
intrusion has occurred. 

11. (canceled). 

12. (original) The method of claim 4, comprising converting the system log files into an 
ASCII format for comparison against the one or more templates. 

13. (original) The method of claim 2, comprising converting the kernel records into an 
ASCII format for comparison against the one or more templates. 

14. (original) The method of claim 1, wherein the one or more templates is a 
modification of files/directories template. 

15. (original) The method of claim 1, wherein the one or more templates is a change to 
log files template. 

16. (original) The method of claim 1, wherein the one or more templates is a SetUID files 
template. 
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17. (original) The method of claim 1, wherein the one or more templates is a creation of 
world-writables template. 

1 8. (original) The method of claim 1 , wherein the one or more templates is a repeated 
failed logins template. 

19. (original) The method of claim 1, wherein the one or more templates is a repeated 
failed SU commands template. 

20. (original) The method of claim 1, wherein the one or more templates is a race 
conditions attack template. 

21 . (original) The method of claim 1, wherein the one or more templates is a buffer 
overflow attacks template. 

22. (original) The method of claim 1, wherein the one or more templates is a modification 
of another user's file template. 

23. (original) The method of claim 1, wherein the one or more templates is a monitor for 
the start of interactive sessions template. 

24. (original) The method of claim 1, wherein the one or more templates is a monitor 
logins/logouts template. 

15 



Application No.: 09/878,319 



Docket No.: 4536-004 



25. (original) The method of claim 1, wherein the one or more templates is chosen from 
the group including: 

a modification of files/directories template; 
a change to log files template; 

a SetUID files template; 

a creation of world-writables template; 

a repeated failed logins template; 

a repeated failed SU commands template; 

a race conditions attack template; 

a buffer overflow attacks template; 

a modification of another user's file template; 

a monitor for the start of interactive sessions template; and 

a monitor logins/logouts template. 

26. (original) The method of claim 1, wherein the kernel records are read from different 
computers. 

27. (original) The method of claim 1, wherein parsed records are compared against the 
one or more templates using at least one correlator. 

28. (original) The method of claim 1, wherein said parsing step compares the parsed 
records against the one or more templates simultaneously. 

29. (currently amended) A method of detecting changes to critical files/directories, 
comprising: 
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monitoring a predetermined set of files for modifications; 
monitoring a predetermined set of directories for modifications; 

generating an alert for each occurrence of a modification of a monitored file , wherein if a 
directory is specifically excluded and a file in the specifically exclud ed directory is specifically 
included then the file is monitored, and wherein the predetermined set of files includes a syst eni 
kernel file and system kernel configuration files ; and 

generafing an alert for each occurrence of a modification of a monitored directory. 

30. (original) The method of claim 29, comprising: 

determining which files to monitor of all files on a computer to form the predetermined 
set of files; 

determining which directories to monitor of all directories on a computer to form the 
predetermined set of directories. 

31. (currently amended) The method of claim 29, comprising, for each said determining 
step, specifically including a file or directory, specifically excluding a file or director directory , 
or not specifically including or excluding a file or directory. 

32. (original) The method of claim 29, wherein a file or directory which is not 
specifically included or excluded is monitored. 

33. (canceled). 

34. (canceled). 

35. (original) The method of claim 29, wherein the predetermined set of files includes 
/stand/vmunix, /stand/kernel and /stand/bootconf 

36. (original) The method of claim 29, wherein the predetermined set of files includes 
files defining the users on a system and files used to create accounts. 
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37. (original) The method of claim 29, wherein the predetermined set of files includes 
/etc/passwd and /etc/group. 

38. (original) The method of claim 29, wherein the predetermined set of files includes 
files which control what network services are running and which controls programs used to 
fulfill service requests. 

39. (original) The method of claim 29, wherein the predetermined set of files includes 
/etc/inetd.conf. 

40. (original) The method of claim 29, wherein the predetermined set of files includes 
files which are used to control the remote access of the user root without requiring a password. 

41 . (original) The method of claim 29, wherein the predetermined set of files 
includes/.rhosts and /.shosts. 

42. (original) The method of claim 29, wherein the set of files specifically excluded 
includes temporary files created by a program view. 

43 . (original) The method of claim 29, wherein the predetermined set of directories 
includes /bin, /sbin and /usr/bin. 

44 _ 48 (canceled). 



